I'm working on a fairly standard web site with public content plus personal/customized content for registered users. I know I need to use HTTPS when users are logging in or sending credit card details. Is there a reason I shouldn't just use HTTPS for the whole site?

5 Answers
5

Yes, there's a reason you shouldn't use it for the whole site. Some browsers (depending on brand and version) will not cache content from HTTPS requests to disk, which can seriously slow the browsing experience for users, as static assets will be loaded with every page request (style-sheets, javascript, header images etc). For example, Mozilla states that:

"Disk caching saves copies of the downloaded files on the hard drive so they don't need to be downloaded to be redisplayed. These pages can be viewed by anyone with permission to the cache folder. Pages transmitted with SSL encryption often contain sensitive information and caching of these pages to disk may present a privacy risk. This preference controls whether to cache to disk pages that were transmitted with SSL encryption."

How individual browsers cache HTTPS is somewhat disputed but there still remains a good chance that many users will have disk caching disabled for HTTPS requests.

Secondly, HTTPS requires a "handshake" for every request and this comes with some overhead, which will affect performance and make requests larger (typically only by a few KB, but it's for every request and this adds up). HTTP KeepAlive can limit this, but it's still an overhead that you don't need for non-secure content.

Everything here is true. However we've been running a full SSL website for approx 5 years now and we've never had a complaint from our users. Most of them are corporate so on IE6 and IE7 with a few on Firefox these days. The caching seemed to work fine, but we had explicit content-expiry rules set on a lot of images, I don't know if that made a difference.
– Mark Henderson, Aug 2 '10 at 21:35

4

Don't guess: test :-). One simple (though rough & not 100% complete) way of checking if caching is working is to check your server logs for user requests. Are they requesting all images/files or just the uncached content? Individual users are bad judges of latency, but when aggregated, the milliseconds can be visible, so I would certainly make sure that the speed is really acceptable.
– John Mueller, Aug 2 '10 at 22:37

If you are planning to run full SSL, make sure that any hosted third party services you're using (ad server, analytics, sharing tools, etc) have SSL versions available, or you'll get mixed content warnings on some browsers.

Another problem is that everything you serve from any page then really needs to go via SSL, including third-party resources. We've found this is a real problem with something like YouTube, for example. Since Google doesn't make YouTube videos available via SSL, it means that any YouTube video you do want to embed in a page on your site will cause the "this page contains secure and non-secure content" warning. Whilst this is subtle in most browsers, it's a huge dialog in IE and can cause some users to abandon your site pretty quickly, clutching their data to their chest in fear.
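The two answers above both come down to one check: does any page served over HTTPS pull a sub-resource over plain http://? The scanner below is an added example, not code from the original answers; it parses an HTML document with the standard library, reports every http:// sub-resource, and labels it active (script, stylesheet, iframe, object, embed, which browsers block) or passive (images and media, which only trigger a warning). The sample page, host names and the VIDEO_ID placeholder are constructed.

```python
"""Find mixed content: sub-resources an HTTPS page would load over http://."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Which attribute carries the resource URL for each tag we care about.
_URL_ATTRS = {
    "script": "src", "iframe": "src", "link": "href", "object": "data",
    "embed": "src", "img": "src", "video": "src", "audio": "src", "source": "src",
}
# Active content can run code or restyle the page; passive content is only displayed.
_ACTIVE = {"script", "iframe", "link", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attr = _URL_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        url = (attrs.get(attr) or "").strip()
        # Relative and protocol-relative (//host/...) URLs inherit the page's
        # https scheme, so only an absolute http:// URL is mixed content.
        if urlparse(url).scheme.lower() != "http":
            return
        kind = "active" if tag in _ACTIVE else "passive"
        # <link> is active only when it pulls in a stylesheet; icons, prefetch
        # hints and the like are treated as passive.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            kind = "passive"
        self.findings.append((tag, url, kind))

    handle_startendtag = handle_starttag  # also catch <img ... /> style tags


def find_mixed_content(html):
    """Return [(tag, url, kind)] for every sub-resource loaded over http://."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: an http:// script and an http:// embedded video
# (both flagged), an https:// stylesheet and a protocol-relative image (both fine).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://ads.example/tracker.js"></script>
</head><body>
<img src="//static.example/logo.png">
<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```

Run it over the rendered HTML of each template (or a crawl of the site) before switching to full SSL; anything listed as active will be blocked outright by current browsers, not merely warned about.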

You should also think about growth. Once you have more than a single webserver, you will have to decide: Do you want to provide HTTPS on each individual server, and if so, will you be using the same certificate or a cert per server, as is often recommended? I have seen more common setups where there are fewer HTTPS servers, as they are generally only used for processing of sensitive details, and more HTTP servers, since those tend to receive the bulk of the traffic. HTTPS adds a little more complexity to each of your setups. Just something to keep in mind.

As I see it, the only reasons to not use HTTPS on your entire site are that it will slow your server some and visitors will have a slightly slower browsing experience. That being said, there are benefits. Specifically:

You will never have to worry about putting data you want to keep secure on any page of your site. You can't forget.

Users will notice your site is encrypted entirely and may feel more secure in giving you their information.

Users know that your website belongs to your company and hasn't been taken over.

Beyond making it easier for your developers to not worry about showing secure data on an unencrypted page, there is really no technical reason to use HTTPS on every page. By the same reasoning, there is very little reason not to.

Another reason not to use HTTPS on the entire site: more bandwidth will be used, since pages won't be cached client side (theoretically).
– w3d, Aug 4 '10 at 11:56

"You will never have to worry about putting data you want to keep secure on any page of your site." - I'm not sure how true this is. Google will index _and cache_(!) these pages by default. And if requested, appears to serve the cached version as plain HTTP.
– w3d, Aug 4 '10 at 12:11